From a..@apache.org
Subject svn commit: r917580 - /portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/login/LoginProxyServlet.java
Date Mon, 01 Mar 2010 16:39:45 GMT
Author: ate
Date: Mon Mar  1 16:39:44 2010
New Revision: 917580

URL: http://svn.apache.org/viewvc?rev=917580&view=rev
Log:
Fix for JS2-1075 - possible cross site scripting during login and JS2-1076 - insecure redirector
during login
See:
  http://issues.apache.org/jira/browse/JS2-1075
  http://issues.apache.org/jira/browse/JS2-1076
  
Thanks for the report Radko Keves

Modified:
    portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/login/LoginProxyServlet.java

Modified: portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/login/LoginProxyServlet.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/login/LoginProxyServlet.java?rev=917580&r1=917579&r2=917580&view=diff
==============================================================================
--- portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/login/LoginProxyServlet.java
(original)
+++ portals/jetspeed-2/portal/trunk/components/jetspeed-portal/src/main/java/org/apache/jetspeed/login/LoginProxyServlet.java
Mon Mar  1 16:39:44 2010
@@ -27,6 +27,7 @@
 import javax.servlet.http.HttpServletResponse;
 import javax.servlet.http.HttpSession;
 
+import org.apache.commons.lang.StringEscapeUtils;
 import org.apache.jetspeed.Jetspeed;
 import org.apache.jetspeed.PortalReservedParameters;
 import org.apache.jetspeed.administration.PortalAuthenticationConfiguration;
@@ -64,19 +65,28 @@
 
         parameter = request.getParameter(LoginConstants.DESTINATION);
         if (parameter != null)
+        {
+            parameter = StringEscapeUtils.escapeHtml(parameter);
             session.setAttribute(LoginConstants.DESTINATION, parameter);
+        }
         else
             session.removeAttribute(LoginConstants.DESTINATION);
         if (credentialsFromRequest)
         {
             username = request.getParameter(LoginConstants.USERNAME);
             if (username != null)
+            {
+                username = StringEscapeUtils.escapeHtml(username);
                 session.setAttribute(LoginConstants.USERNAME, username);
+            }
             else
                 session.removeAttribute(LoginConstants.USERNAME);
             parameter = request.getParameter(LoginConstants.PASSWORD);
             if (parameter != null)
+            {
+                parameter = StringEscapeUtils.escapeHtml(parameter);
                 session.setAttribute(LoginConstants.PASSWORD, parameter);
+            }
             else
                 session.removeAttribute(LoginConstants.PASSWORD);
         }
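Review bot: The password is HTML-escaped before it is stored in the session (the added `parameter = StringEscapeUtils.escapeHtml(parameter);` in the PASSWORD branch), which alters the credential itself: a password containing `&`, `<`, `>` or `"` becomes e.g. `p&amp;ss`, so, assuming the session attribute is later handed to the authenticator (outside this hunk), those users can no longer log in, and the same applies to the USERNAME branch. Escaping is an output concern; the raw value should be kept in the session and encoded at the point where it is rendered into the login page, so the safer change is to drop the escapeHtml calls in the USERNAME and PASSWORD branches and leave `session.setAttribute(LoginConstants.PASSWORD, parameter);` with a comment `// stored raw: HTML-encode where rendered, never mutate the credential`. HTML-escaping DESTINATION also does not address the "insecure redirector" in the commit message: escapeHtml leaves an absolute URL such as `http://attacker.example/` untouched, so if the attribute is later used as a redirect target the open redirect remains; the destination should be rejected unless it is a relative, same-site path, e.g. `if (parameter != null && parameter.startsWith("/") && !parameter.startsWith("//"))` before it is stored. The enclosing method begins before this hunk, so where the attributes are consumed cannot be confirmed from here.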


